Sneaking In

To detect holes in your company’s network security, penetration testers follow specific processes (see sidebar). But not all go so far as to sneak into buildings. Some conduct only external penetration tests. Denning Compliance Services in Minneapolis specializes in the banking industry—specifically smaller banks with $20 million to $300 million in deposits. Carl Boecher, Denning’s president and owner, says that his agents do all of their probing via computer from outside the bank’s walls.

That external probing may, however, include social engineering attacks in the form of “phishing” scams, where an e-mail purporting to come from someone inside the bank—the IT director, say—tries to trick employees into revealing their network IDs and passwords or some other information that would allow unauthorized access to the system.

NetSPI’s George says that external testing conducted via the Internet—probing open ports, Web sites, and applications for vulnerabilities that allow unauthorized access to a system—is not just the most common form of penetration testing but often the most valuable. Wireless applications and Web sites can provide “pathways into your organization for outsiders who don’t need to carry clipboards and risk sneaking into your building,” he says. “Bad guys will try to take the easiest route, with the lowest risk, to get to the valuable assets.”

For instance, if a public Web site has a way for visitors to enter information, such as user names, hackers will type database commands into that field instead of a user name, hoping the site passes them unchecked to the database behind it and so opens a way into the network. This type of attack, known as structured query language (SQL) injection, is very common, experts say.
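The attack described above turns on one thing: whether the Web site builds its database query by pasting the visitor's input into the query text, or passes the input to the database separately as data. The following added example (not from the article or from any firm it mentions) shows both styles of login check against a constructed in-memory table of made-up accounts. The user names, passwords, and the `' OR '1'='1` input are all constructed for illustration.

```python
import sqlite3

# Constructed sample accounts for the demo; not real credentials.
SAMPLE_USERS = [("alice", "s3cr3t"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation.

    Whatever the visitor typed becomes part of the SQL text, so quote
    characters and keywords in the input change the meaning of the query.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Uses a parameterized query.

    The '?' placeholders are bound to the input values by the database
    driver, so the input is only ever compared as data and never parsed
    as SQL, no matter what characters it contains.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run the same input through both versions and return what each matched."""
    conn = make_db()
    # A classic tautology typed into the user-name and password fields.
    # In the concatenated query it yields a WHERE clause that is true for
    # every row, so the vulnerable version "logs in" without any password.
    injected = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, injected, injected),  # every row
        "safe": login_safe(conn, injected, injected),              # no rows
        "legit_safe": login_safe(conn, "alice", "s3cr3t"),         # ['alice']
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {matched}")
```

The defensive point is that `login_safe` needs no input filtering to be correct: parameter binding keeps data and query structure apart by construction. Reviewing code for query text assembled with `+`, `%`, or f-strings is the quickest way to find the vulnerable pattern.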

But there is no denying that social engineering and physical intrusion are the most glamorous parts of the penetration-testing business. To test security arrangements for the Republican National Convention in St. Paul last fall, NetSPI consultants tried to talk their way into off-limits areas of the city water department. Using both telephones and the Internet, they have successfully “phished” network user names and passwords out of employees in numerous client organizations. “We get anywhere from 5 percent to 75 percent of people to give us their correct credentials” with such scams, George says. “If you asked for social security numbers, you’d get some people to give you those, too.”